Sony Data Breach Tally Rises to 101 Million Users

The data breach disclosures from Sony gets progressively grimmer as the company admits that 24.6 million Sony Online Entertainment users have been compromised.

Sony has admitted that the intruders that stole data from
the PlayStation Network and Qriocity music and video service also breached its
Sony Online Entertainment service.
The personal information of an additional 24.6 million
gamers who'd registered on the Sony Online Entertainment service was compromised,
Sony disclosed late in the day on May 2. Names, home addresses, email
addresses, dates of birth, phone numbers and gender information were stolen.

Sony disclosed on April 27 that thieves had stolen account
information of up to 77 million users on the PlayStation
Network and Qriocity. That breach
affected primarily PlayStation owners. This latest disclosure means that
account information of more than 101 million users has been compromised by this
network intrusion.

Most SOE users are not PlayStation owners, but play games on
Facebook and on the PC. SOE powers multiplayer games including EverQuest II,
Star Wars Galaxies, Free Realms and DC Universe as well as Facebook-based
Fortune League.
"We had previously believed that SOE customer data had not been
obtained in the cyber-attacks on the company," Sony said in its message to
customers. "On May 1, we concluded that SOE account information may have been
stolen."
While the company had no actual evidence that credit card
information had been stolen, it said it was erring on the side of caution to
notify the users of the possibility. That was not the case for SOE, as direct
debit details of 10,700 customers in Austria, Spain, the Netherlands and
Germany were stolen. Also taken were credit or debit card details of 12,700
non-United States customers from an "outdated database from 2007," according to
the company. Sony emphasized the three-digit security codes had not been stored
and were not compromised. The card numbers and expiration dates were securely encrypted,
according to the company.

"There is no evidence that our main credit card database was
compromised. It is in a completely separate and secured environment," Sony said
in its message.
Sony said SOE was breached between April 16 and 17, the same
time PSN
and Qriocity was compromised. Sony shut down those services on April 20, but
didn't take SOE offline until May 1.
"In the course of our investigation into the intrusion
into our systems we have discovered an issue that warrants enough concern for
us to take the service down, effective immediately," Sony said in its
maintenance note.
Sony said it is working with the FBI and continuing its own
investigation while working to restore all services.
Sony reminded users to be aware of scams that ask for
personal or sensitive information and that U.S.-based customers can place a
free fraud alert with national credit reporting agencies to protect themselves
from credit card fraud. However, Equifax, one of the major credit bureaus,
warned users that the alerts were not sufficient protection against identity
theft.
"Although fraud alerts have long been recognized as one
of the strongest methods of identity protection, they simply aren't
enough," says Trey Loughran, president of Equifax Personal Information
Solutions, told eWEEK. Existing account information such as credit card numbers
are vulnerable even with an active fraud alert in place, Loughran said. It is
most useful against new account fraud, but won't prevent identity thieves from
using the numbers to rack up charges on existing accounts.
Sony is overhauling SOE's security procedures, much like the
current effort to rebuild PSN. While rumors surfaced on underground
hacking forums that the thieves were offering the stolen numbers for sale,
Sony said the rumors were not true. "There is no evidence that our main
credit card database was compromised. It is in a completely separate and
secured environment," Patrick Seybold, Sony's senior director of corporate
communications and social media wrote on the PlayStation
blog.
There are "no consequences" for companies that
"under-invest" in security, Phil Lieberman, CEO of Lieberman Software, told
eWEEK. As such, users should "always assume" that companies asking for personal
information are "totally incompetent at securing the data," Lieberman said.
Three senior executives from Sony
formally apologized at a press conference on May 1. SOE customers will
receive 30 free days added to their subscriptions as well as an additional day
for each day the system is down.